Netgrimoire/False Grimoire/Work/Cisco/Nexus_NTP.md
2026-04-12 09:39:57 -05:00

title description published date tags editor dateCreated
NTP Deep dive on the Nexus Config and troubleshoot true 2026-03-31T20:46:08.474Z markdown 2026-03-31T20:45:58.287Z

Cisco Nexus 93180 NTP Configuration and Troubleshooting Guide

Overview

This guide provides complete NTP (Network Time Protocol) configuration steps and troubleshooting procedures for the Cisco Nexus 93180 switch running NX-OS. Accurate time synchronization is critical for logging, AAA, certificates, and distributed system correlation.


NTP Configuration

Basic NTP Server Configuration

configure terminal

! Enable NTP feature (if not already enabled)
feature ntp

! Configure NTP servers (use multiple servers for redundancy)
ntp server 10.1.1.10 prefer use-vrf management
ntp server 10.1.1.11 use-vrf management
ntp server 192.0.2.1 use-vrf default

! Configure NTP source interface (optional but recommended)
ntp source-interface mgmt0

! Set timezone (adjust to your location)
clock timezone EST -5 0

! Configure daylight saving time (if applicable)
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60

! Save configuration
copy running-config startup-config

NTP Authentication

configure terminal

! Enable NTP authentication
ntp authenticate

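! Create authentication keys
! Enter the key string as cleartext. A trailing 7 tells NX-OS the string is
! already type-7 encrypted, which is how it is displayed in the running config.
! Type 7 is reversible, so treat saved configs as containing the key.
ntp authentication-key 1 md5 YourSecureKey123
ntp authentication-key 2 md5 AnotherSecureKey456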

! Specify trusted keys
ntp trusted-key 1
ntp trusted-key 2

! Apply authentication to NTP servers
ntp server 10.1.1.10 prefer use-vrf management key 1
ntp server 10.1.1.11 use-vrf management key 2

copy running-config startup-config
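What the key ID and key string configured above protect on the wire, as an added example that is not part of the original guide. It follows the NTP symmetric-key MAC layout (a 4-byte key ID plus MD5 over key and header, appended to the 48-byte header); the key value and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48  # fixed NTP header size in bytes

def ntp_client_header(transmit_ts: int = 0) -> bytes:
    """Build a 48-byte NTPv4 client request (LI=0, VN=4, Mode=3)."""
    first = (0 << 6) | (4 << 3) | 3
    # stratum, poll, precision, root delay, root dispersion, ref id,
    # then reference/origin/receive/transmit timestamps (64-bit each)
    return struct.pack("!BBbb3I4Q", first, 0, 6, -20, 0, 0, 0, 0, 0, 0, transmit_ts)

def add_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """Append key ID and MD5(key || header), as a sender using 'key N' would."""
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest

def verify(packet: bytes, keyring: dict, trusted: set) -> str:
    """Receiver-side check: the key ID must be trusted and the digest must match."""
    if len(packet) != HEADER_LEN + 4 + 16:
        return "no MAC present"
    header = packet[:HEADER_LEN]
    key_id = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])[0]
    digest = packet[HEADER_LEN + 4:]
    if key_id not in trusted:
        return "key id not trusted"        # no matching 'ntp trusted-key'
    if key_id not in keyring:
        return "key id not configured"     # no matching 'ntp authentication-key'
    expected = hashlib.md5(keyring[key_id] + header).digest()
    return "ok" if hmac.compare_digest(expected, digest) else "digest mismatch"

# Constructed key material, for illustration only
SERVER_KEY = b"example-key-1"
PACKET = add_mac(ntp_client_header(), 1, SERVER_KEY)

if __name__ == "__main__":
    print(verify(PACKET, {1: SERVER_KEY}, {1}))        # matching key ID and string
    print(verify(PACKET, {1: b"typo-in-key"}, {1}))    # same ID, different string
    print(verify(PACKET, {1: SERVER_KEY}, {2}))        # key defined but not trusted
```

The three failure results correspond to the checks in the "Authentication Failures" troubleshooting steps: trusted keys, key ID, and key string.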

NTP Access Control (Security Best Practice)

configure terminal

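! Define access control for NTP
! peer: process time requests and NTP control queries, and sync to these hosts
! serve: process time requests and NTP control queries, but do not sync to these hosts
! serve-only: process time requests only
! query-only: process NTP control queries only

! ACL names must match the ip access-list names defined below
ntp access-group peer NTP-Peers
ntp access-group serve NTP-Serve
ntp access-group query-only NTP-Query

! Create ACLs
ip access-list NTP-Peers
  10 permit ip 10.1.1.0/24 any
  20 deny ip any any

ip access-list NTP-Serve
  10 permit ip 10.0.0.0/8 any
  20 deny ip any any

! Example only: limit control queries to a monitoring host (placeholder address)
ip access-list NTP-Query
  10 permit ip 10.1.1.100/32 any
  20 deny ip any any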

copy running-config startup-config

NTP Master Configuration (Switch as Time Source)

configure terminal

! Configure switch as NTP master (stratum level)
! Only use if external NTP servers are unavailable
ntp master 8

! This makes the switch authoritative at stratum 8
! Lower stratum = higher priority (1 is highest)

copy running-config startup-config

Logging NTP Events

configure terminal

! Enable logging for NTP
ntp logging

! Adjust logging level if needed
logging level ntp 6

copy running-config startup-config

Verification Commands

Check NTP Status

! Show NTP status summary
show ntp status

! Expected output when synchronized:
! Clock is synchronized, stratum 3, reference is 10.1.1.10
! nominal freq is 250.0000 Hz, actual freq is 250.0010 Hz, precision is 2**18
! reference time is E8C9A234.1F2E3D4C (10:15:48.121 EST Mon Jan 15 2024)
! clock offset is -0.0023 msec, root delay is 12.34 msec
! root dispersion is 45.67 msec, peer dispersion is 1.23 msec

Check NTP Peers

! Show all NTP peers and their status
show ntp peers

! Column descriptions:
! * = synchronized, + = candidate, # = selected
! remote: NTP server address
! ref clock: reference source of the server
! st: stratum level
! when: last packet received (seconds)
! poll: polling interval
! reach: reachability (octal; 377 = all 8 attempts successful)
! delay: round-trip delay (ms)
! offset: time difference (ms)
! jitter: dispersion (ms)

Check NTP Statistics

! Show detailed peer statistics
show ntp peer-status

! Show specific peer details
show ntp peer 10.1.1.10

Check NTP Authentication

! Verify authentication keys
show ntp authentication-keys

! Check authentication status
show ntp authentication-status

Check Time Configuration

! Display current clock settings
show clock detail

! Show timezone configuration
show running-config | include clock

Common Configuration Examples

Example 1: Enterprise Configuration with Multiple Servers

configure terminal

feature ntp

! Use company NTP servers in management VRF
ntp server 10.10.1.10 prefer use-vrf management
ntp server 10.10.1.11 use-vrf management
ntp server 10.10.1.12 use-vrf management

! Use public NTP as backup in default VRF
ntp server 129.6.15.28 use-vrf default
ntp server 132.163.96.1 use-vrf default

ntp source-interface mgmt0

clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60

ntp logging

copy running-config startup-config

Example 2: Secure Configuration with Authentication

configure terminal

feature ntp

ntp authenticate
! Enter the key as cleartext; a trailing 7 marks the string as already type-7 encrypted
ntp authentication-key 10 md5 Pr0d_NTP_K3y_2024
ntp trusted-key 10

ntp server 10.10.1.10 prefer use-vrf management key 10
ntp server 10.10.1.11 use-vrf management key 10

ntp access-group peer NTP-PEERS

ip access-list NTP-PEERS
  10 permit ip 10.10.1.0/24 any
  20 deny ip any any log

ntp source-interface mgmt0
ntp logging

clock timezone EST -5 0
clock summer-time EDT 2 Sunday March 02:00 1 Sunday November 02:00 60

copy running-config startup-config

Troubleshooting Guide

Issue: NTP Not Synchronizing

Symptoms:

  • show ntp status shows "Clock is unsynchronized"
  • No asterisk (*) appears in show ntp peers

Troubleshooting Steps:

  1. Verify NTP feature is enabled:

    show feature | include ntp
    ! If disabled:
    configure terminal
    feature ntp
    
  2. Check network connectivity to NTP servers:

    ping 10.1.1.10 vrf management
    traceroute 10.1.1.10 vrf management
    
  3. Verify NTP packets are being exchanged:

    show ntp peer-status
    ! Check 'reach' column - should be 377 octal (binary 11111111)
    ! Check 'when' column - should be recent (< poll interval)
    
  4. Check for authentication mismatches:

    show ntp authentication-status
    ! Verify keys match between switch and server
    
  5. Verify correct VRF is configured:

    show running-config | include "ntp server"
    ! Ensure use-vrf matches your management connectivity
    
  6. Check firewall/ACL blocking UDP port 123:

    ! NTP uses UDP port 123
    show ip access-lists
    
  7. Verify time offset isn't too large:

    ! If offset > 1000 seconds, NTP may refuse to sync
    ! Manually set clock closer to correct time:
    clock set 14:30:00 15 January 2024
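Steps 3 and 7 above can be scripted against collected peer rows. This is an added example, not part of the original guide: the rows are constructed using the column order listed under "Check NTP Peers" (offset in ms), and the actual column layout depends on the NX-OS release, so adjust the unpacking to match your output.

```python
def reach_history(reach: str) -> list[bool]:
    """Decode the octal reach register; index 0 is the most recent poll."""
    reg = int(reach, 8) & 0xFF
    return [bool((reg >> i) & 1) for i in range(8)]

def diagnose(row: str) -> list[str]:
    """Return findings for one whitespace-separated peer row."""
    _remote, _ref, st, when, poll, reach, _delay, offset, _jitter = row.split()
    hist = reach_history(reach)
    issues = []
    if not any(hist):
        issues.append("no replies in the last 8 polls")
    elif not hist[0]:
        # Count consecutive misses, newest poll first
        issues.append(f"last {hist.index(True)} poll(s) unanswered")
    elif not all(hist):
        issues.append(f"{hist.count(False)} of the last 8 polls unanswered")
    if when.isdigit() and int(when) > int(poll):
        issues.append("last packet is older than the poll interval")
    if int(st) >= 16:
        issues.append("peer is unsynchronized (stratum 16)")
    if abs(float(offset)) > 1000 * 1000:  # 1000 s expressed in ms
        issues.append("offset exceeds 1000 s; set the clock manually first")
    return issues

# Constructed rows: remote, ref clock, st, when, poll, reach, delay, offset, jitter
SAMPLE_ROWS = [
    "*10.1.1.10 10.0.0.1 2 33 64 377 1.2 -0.4 0.8",
    "10.1.1.11 10.0.0.1 2 300 64 360 1.5 0.9 2.1",
    "192.0.2.1 .INIT. 16 - 1024 0 0.0 0.0 0.0",
    "+10.1.1.12 10.0.0.1 3 10 64 357 2.0 1500000.0 5.0",
]

def report(rows: list[str]) -> dict[str, list[str]]:
    """Map each peer address (status marker stripped) to its findings."""
    return {row.split()[0].lstrip("*+#"): diagnose(row) for row in rows}

if __name__ == "__main__":
    for peer, issues in report(SAMPLE_ROWS).items():
        print(peer, "OK" if not issues else "; ".join(issues))
```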
    

Issue: High Offset or Jitter

Symptoms:

  • Time drifts significantly
  • High offset values in show ntp peers

Troubleshooting Steps:

  1. Check network latency:

    ping 10.1.1.10 vrf management repeat 100
    ! Look for packet loss and high/variable latency
    
  2. Verify stratum levels:

    show ntp peers
    ! Stratum should be < 10 for reliable servers
    ! Lower stratum = more accurate
    
  3. Increase number of NTP servers:

    ! Use at least 3 servers for best accuracy
    ! NTP uses voting algorithm with multiple sources
    
  4. Check for upstream NTP issues:

    show ntp peer-status
    ! Verify your NTP servers are synchronized
    

Issue: Authentication Failures

Symptoms:

  • Peers show as unreachable despite network connectivity
  • Authentication errors in logs

Troubleshooting Steps:

  1. Verify authentication is configured on both ends:

    show ntp authentication-status
    
  2. Check key ID and values match:

    show ntp authentication-keys
    ! Key number and MD5 key string must match the server
    
  3. Verify trusted keys are configured:

    show running-config | include "ntp trusted-key"
    
  4. Temporarily disable authentication to test:

    configure terminal
    no ntp authenticate
    ! Test connectivity
    ! Re-enable after testing:
    ntp authenticate
    

Issue: NTP Working but Time Still Wrong

Symptoms:

  • show ntp status shows synchronized
  • Clock shows incorrect time

Troubleshooting Steps:

  1. Verify timezone configuration:

    show running-config | include clock
    ! Ensure timezone matches your location
    
  2. Check daylight saving time settings:

    show clock detail
    ! Verify DST is configured if applicable
    
  3. Confirm NTP server time is correct:

    show ntp peers
    ! Check offset - should be small (< 100ms typically)
    

Issue: Cannot Add NTP Server

Symptoms:

  • Configuration commands rejected
  • "Invalid VRF" error

Troubleshooting Steps:

  1. Verify VRF exists:

    show vrf
    ! Common VRFs: management, default
    
  2. Check if management interface is configured:

    show running-config interface mgmt0
    ! Ensure IP address and VRF are configured
    
  3. Verify source interface exists:

    show interface mgmt0 brief
    

Best Practices

Redundancy

  • Configure at least 3 NTP servers for optimal accuracy and redundancy
  • Use diverse network paths to NTP servers when possible
  • Consider using both internal and external NTP sources

Security

  • Always use NTP authentication in production environments
  • Implement access control lists to limit NTP queries
  • Use use-vrf management to isolate NTP traffic
  • Monitor NTP logs for unusual activity
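The authentication and access-control points above can be checked offline against a saved running-config. The following audit is an added example, not part of the original guide; the sample config is constructed with deliberate gaps, and the key string in it is a placeholder.

```python
import re

# Constructed NX-OS config with deliberate gaps; key string is a placeholder.
SAMPLE_CONFIG = """\
feature ntp
ntp authenticate
ntp authentication-key 10 md5 EXAMPLE-KEY
ntp trusted-key 10
ntp server 10.10.1.10 prefer use-vrf management key 10
ntp server 10.10.1.11 use-vrf management key 20
ntp server 129.6.15.28 use-vrf default
ntp access-group peer NTP-PEERS
ntp access-group serve ServeACL
ip access-list NTP-PEERS
  10 permit ip 10.10.1.0/24 any
  20 deny ip any any log
"""

def _ids(lines, pattern):
    """Collect the first capture group of every line that matches pattern."""
    return {m.group(1) for l in lines if (m := re.match(pattern, l))}

def audit_ntp(config: str) -> list[str]:
    """Return findings for NTP authentication and access-group gaps."""
    lines = [l.strip() for l in config.splitlines()
             if l.strip() and not l.strip().startswith("!")]
    keys = _ids(lines, r"ntp authentication-key (\d+) md5 ")
    trusted = _ids(lines, r"ntp trusted-key (\d+)$")
    acls = _ids(lines, r"ip access-list (\S+)$")
    findings = []
    if "ntp authenticate" not in lines:
        findings.append("ntp authenticate is not enabled")
    for l in lines:
        if m := re.match(r"ntp server (\S+)", l):
            key = re.search(r"\bkey (\d+)\b", l)
            if not key:
                findings.append(f"server {m.group(1)}: no authentication key")
            elif key.group(1) not in keys:
                findings.append(f"server {m.group(1)}: key {key.group(1)} is not defined")
            elif key.group(1) not in trusted:
                findings.append(f"server {m.group(1)}: key {key.group(1)} is not trusted")
        elif m := re.match(r"ntp access-group (\S+) (\S+)$", l):
            if m.group(2) not in acls:
                findings.append(f"access-group {m.group(1)}: ACL {m.group(2)} is not defined")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_ntp(SAMPLE_CONFIG)) or "no findings")
```

An `ntp access-group` statement that names an ACL which was never created is easy to miss by eye, which is why the audit cross-checks names rather than only looking for the keyword.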

Performance

  • Use prefer keyword on the most reliable/accurate server
  • Choose NTP servers with low stratum (2-4 is ideal)
  • Select geographically close servers to minimize latency
  • Avoid using stratum 1 servers directly (use stratum 2)

Maintenance

  • Regularly verify NTP synchronization status
  • Monitor offset and jitter values
  • Update authentication keys periodically
  • Document your NTP server hierarchy

Time Initialization

  • When first configuring, manually set clock to within 1000 seconds of actual time
  • NTP will refuse to sync if offset is too large initially
  • Use clock set command before enabling NTP on new switches

Monitoring and Logging

Regular Health Checks

! Daily verification
show ntp status | include "Clock is"
show ntp peers | include "\*"

! Weekly detailed check
show ntp peer-status
show clock detail

Enable SNMP Monitoring

configure terminal

! Enable SNMP for NTP monitoring
snmp-server enable traps ntp

! Configure SNMP trap receiver
! SNMPv2c sends the community string in cleartext; use SNMPv3 where the receiver supports it
snmp-server host 10.1.1.100 traps version 2c YourCommunity

copy running-config startup-config

Syslog Monitoring

configure terminal

! Ensure NTP logging is enabled
ntp logging

! Configure syslog server
logging server 10.1.1.50 6 use-vrf management

! Set appropriate logging level
logging level ntp 6

copy running-config startup-config

Quick Reference Commands

Command                              Purpose
show ntp status                      Display synchronization status
show ntp peers                       List all NTP peers and sync status
show ntp peer-status                 Detailed peer statistics
show clock detail                    Current time and configuration
show feature | include ntp           Verify NTP feature enabled
show running-config | include ntp    Display NTP configuration
show ntp authentication-keys         List configured auth keys
clear ntp statistics                 Reset NTP statistics

Appendix: Public NTP Servers

NIST (US Government)

  • 129.6.15.28 - NIST, Gaithersburg, Maryland
  • 132.163.96.1 - NIST, Boulder, Colorado

US Naval Observatory

  • 192.5.41.40 - tick.usno.navy.mil
  • 192.5.41.41 - tock.usno.navy.mil

NTP Pool Project

  • 0.pool.ntp.org
  • 1.pool.ntp.org
  • 2.pool.ntp.org
  • 3.pool.ntp.org

Note: For production use, deploy internal NTP servers synchronized to external sources rather than having all infrastructure devices query public servers directly.


Document Information

Target Platform: Cisco Nexus 93180
NX-OS Versions: 7.x, 9.x, 10.x
Last Updated: March 2026
Document Purpose: Configuration reference and troubleshooting guide

For Cisco NX-OS command reference, consult the official Cisco documentation for your specific software version.